New WMF exploit confirmed in spam attacks

In an email advisory I just received from McAfee AVERT labs, a new version of the WMF exploit using new Exploit-WMF code released today has been confirmed in spam attacks resulting in the installation of a new Backdoor-CEP variant.

An email message containing the Exploit-WMF sample built from this new code has been spammed. The message appears as follows:

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)

The attachment causes a new BackDoor-CEP variant to be downloaded and run from www.ritztours[dot]com.
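The attachment described above is a WMF file carrying a .JPG extension, so a filter that trusts the extension alone will treat it as a harmless picture. The following is an added example (not code from the blog post, from AVERT or from SANS) showing how a mail gateway or triage script can classify an attachment by its leading bytes instead: it recognises the JPEG start-of-image marker and both WMF header forms (the placeable metafile key 0x9AC6CDD7 and the standard header of type/header-size/version), and flags a mismatch between the claimed and actual type. The sample headers are constructed for the example; the function and constant names are my own choice, and the filename HappyNewYear.jpg is the one quoted above.

```python
import struct

# Constructed sample headers (not taken from the spam message described on the page):
# a JPEG/JFIF start-of-image marker, a placeable (Aldus) WMF header, and a standard WMF header.
JPEG_SAMPLE = bytes.fromhex("FFD8FFE000104A46494600")                 # FF D8 FF + APP0 "JFIF"
PLACEABLE_WMF_SAMPLE = bytes.fromhex("D7CDC69A") + b"\x00" * 18        # key 0x9AC6CDD7, little-endian on disk
STANDARD_WMF_SAMPLE = bytes.fromhex("010009000003") + b"\x00" * 12     # type 1, header size 9 words, version 0x0300


def sniff_image_type(data: bytes) -> str:
    """Classify a blob by its leading bytes rather than by its filename."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # Placeable metafile: 32-bit key 0x9AC6CDD7 stored little-endian.
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == 0x9AC6CDD7:
        return "wmf"
    # Standard metafile header: Type (1 = memory, 2 = disk), HeaderSize (always 9 words),
    # Version (0x0100 or 0x0300).
    if len(data) >= 6:
        ftype, hsize, version = struct.unpack("<HHH", data[:6])
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the filename claims an image type that the content does not match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}.get(ext)
    return claimed is not None and sniff_image_type(data) != claimed


if __name__ == "__main__":
    # Hypothetical attachments: the disguised WMF from the page plus a genuine JPEG.
    for name, blob in [("HappyNewYear.jpg", STANDARD_WMF_SAMPLE),
                       ("HappyNewYear.jpg", PLACEABLE_WMF_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE)]:
        verdict = "MISMATCH - quarantine" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: content={sniff_image_type(blob)} -> {verdict}")
```

Only the first few bytes of each attachment are needed, so the check is cheap enough to run on every inbound message; a mismatch is a strong quarantine signal regardless of whether a signature for the specific Exploit-WMF sample exists yet.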

I have not seen a copy of this email yet, and I am not sure if you need to click on the attachment or it will autorun and infect the receiving computer. If anyone comes across this email, please forward it to me ASAP in a password protected zip file to eric@sunbelt-software.com

Here is the email from AVERT Labs:

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

An unofficial patch was made available by Ilfak Guilfanov, the main developer of IDA Pro from DataRescue.

SANS' own Tom Liston reviewed the patch and we tested it. The SANS reviewed and tested version is available for download. (MD5: 99b27206824d9f128af6aa1cc2ad05bc). THANKS to Ilfak Guilfanov for providing the patch!!

Ilfak’s blog at Hex Blog has more information about this patch, including an MSI file provided by a blog reader that can be deployed to desktops through group policies. Currently this repackaging is also provided ‘AS IS’ without any kind of warranty. After applying either of these patches your computer must be rebooted for it to take effect.